How to debug SSSD problems

From FedoraProject

This page is a draft only. It is still under construction and content may change. Do not rely on the information on this page.

This page provides a few steps to self-diagnose problems encountered when using SSSD. For additional information on using SSSD, see https://fedorahosted.org/sssd.

Using the ping command, confirm you can contact the servers used when configuring SSSD.

Inspect the system logs /var/log/secure and /var/log/messages for suspicious log messages.

If using TLS, verify that ...

The directory /etc/openldap/cacerts contains the certificate

The directory /etc/openldap/cacerts contains a hash symlink to the certificate

Enable SSSD debugging output

Set debug_level = 5 in /etc/sssd/sssd.conf.

Next, restart SSSD by typing service sssd restart

Finally, inspect the SSSD log files in /var/log/sssd/* for any clues.

Verify that the services work when not called by SSSD.

For example, with an LDAP server IP of 10.1.0.7 and a base of dc=hurr,dc=org, you could use ldapsearch with a simple anonymous bind and mandatory TLS to confirm LDAP server connectivity.
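
The TLS certificate checks and the ldapsearch connectivity test described above, as an added shell example that is not part of the original page. The function names are hypothetical, and it assumes the certificates in the directory are named *.pem or *.crt.

```shell
#!/bin/sh
# Added example (not from the original page); function names are hypothetical.

# Subject-name hash that OpenSSL-style certificate directories are indexed by.
cert_hash() {
    openssl x509 -noout -hash -in "$1"
}

# Return 0 only if DIR holds at least one certificate, each certificate has a
# <hash>.N symlink resolving to it, and no hash symlink is dangling.
check_cacerts() {
    dir=$1; rc=0; found=0
    # Assumption: certificate files are named *.pem or *.crt.
    for cert in "$dir"/*.pem "$dir"/*.crt; do
        # Skip unmatched globs and symlinks; only real certificate files count.
        if [ ! -f "$cert" ] || [ -L "$cert" ]; then continue; fi
        found=1
        h=$(cert_hash "$cert") || { echo "UNREADABLE $cert"; rc=1; continue; }
        linked=0
        for link in "$dir/$h".[0-9]*; do
            if [ -L "$link" ] && [ "$link" -ef "$cert" ]; then linked=1; fi
        done
        if [ "$linked" -eq 0 ]; then echo "NO HASH LINK $cert ($h.0)"; rc=1; fi
    done
    for link in "$dir"/*.[0-9]; do
        if [ -L "$link" ] && [ ! -e "$link" ]; then echo "DANGLING $link"; rc=1; fi
    done
    if [ "$found" -eq 0 ]; then echo "NO CERTIFICATE in $dir"; rc=1; fi
    return "$rc"
}

# Anonymous simple bind (-x) with StartTLS required (-ZZ), trusting only DIR.
# -s base limits the search to the base entry (an assumption, to keep output short).
ldap_tls_probe() {
    LDAPTLS_CACERTDIR=$3 ldapsearch -x -ZZ -H "ldap://$1" -b "$2" -s base
}

# Usage: sh check-sssd-tls.sh DIR [SERVER BASE]
if [ "$#" -ge 1 ]; then
    check_cacerts "$1" || exit 1
    if [ "$#" -ge 3 ]; then ldap_tls_probe "$2" "$3" "$1"; fi
fi
```

With the page's values, the script would be run as `sh check-sssd-tls.sh /etc/openldap/cacerts 10.1.0.7 dc=hurr,dc=org`; a failure of the probe after the directory check passes points at the server or network rather than the local certificate setup.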